Weighing the costs, benefits of cyberinsurance

Most business owners whom Valerie Corekin works with do not consider the cyberinsurance plan they are weighing as crucial to their risk management strategy as life insurance is for their personal lives.

But business owners “who think that they don’t have to secure their data and IT technology with the same level of due diligence they use to protect their physical assets, such as on a building, are not making good decisions,” said Corekin, a senior risk adviser with PSA Insurance & Financial Services in the Washington, D.C., metro area.

Digital exposure is much greater than people realize. Instances of cyberattacks and breaches are growing, and so is the publicity surrounding them.

They also can be devastating, said Meredith Schnur, senior vice president of professional risk practice at Wells Fargo Insurance in New York City. Schnur and her group place network security and privacy liability insurance on behalf of all-size businesses. But settling lawsuits is just a glimpse of what an organization ends up paying after a cyberattack, Schnur said.

“Exposures to network risk and failure to protect computer systems from attack, which cause a leak of privacy, can result in individual or class action lawsuits,” she said. “Or, the exposure can delete, destroy or corrupt data, causing an organization to become inoperable. There are many ways a company could be financially injured by failure to protect computer systems and data.”

In the Rochester area, many insurers are recommending cybersecurity coverage for all their commercial clients, even small businesses.

John Bouchard, who manages Polestar Executive Management, a wholesale brokerage division of Brown & Brown of New York Inc., said maybe 10 to 20 percent of his Rochester-area clients have some form of coverage for cyberattacks, and the number is growing.

“My sense is that all our clients, publicly held companies, privately held companies and nonprofits, are asking the question,” he said.

In certain industries, it is absolutely essential, including banks, financial advisers, hospitals and universities, he noted. But other industries are following suit. After the Target Corp. breach was traced to a contractor who had inadvertently left the retailer’s computer system vulnerable while recording data on energy use, more companies are requiring their contractors to have coverage as a condition of the agreements they sign.

Ian Smith, president of the Gerard P. Smith Agency Inc. in Webster, said he raises the issue even with his small-business clients. Too many business owners assume hackers are targeting the big players and that small businesses are safe, he said. But virus-carrying emails can cause problems for anyone.

“It’s certainly the fastest growing risk to all business owners, but it takes time for that to filter down,” he said.

The costs of recovering from a data breach begin to accrue before a breach is even declared. Schnur said 90 percent of organizations that have an incident, meaning that data has been accessed without authorization or malware has been detected, have to hire outside investigators.

Those computer forensics experts can run $50,000 to $75,000 a month, Bouchard said.

Many states, including New York, have breach notification laws, which means that if the initial incident review reveals perpetrators were in a system that warehouses confidential customer or employee data, the company has to notify all customers and employees, Schnur said.

“That’s the next step, and it can cost a lot of money,” Schnur said. “You may have to open a call center to handle the communications and hire public relations experts to manage your brand’s response.”

Organizations also may be required to notify the FBI, Secret Service and state and federal regulators. In New York, anyone conducting business in the state must notify the state attorney general, the State Police and the state’s Division of Consumer Protection of a data breach. State-based entities also must notify the Office of Information Technology Services’ Enterprise Information Security Office.

While not all states require a company to pay for credit monitoring for all employees and customers potentially affected by the breach, many organizations will foot the bill for a year as a show of goodwill.

“Before you’ve even been sued, you are already spending money,” Schnur said. “Cyberliability helps to cover these first-party costs as well as any settlement costs that may be incurred if an organization is sued.”

Before you buy

But how do you choose a reasonable cyberinsurance policy among the hundreds offered?

Evan Blair, co-founder and chief business officer with social media security and threat intelligence firm ZeroFox Inc. in Baltimore, said every business should first conduct an audit and establish a written corporate security policy, wherein cyberinsurance is included among various risk mitigation strategies as a sort of last line of defense. Make sure the policy looks to the potential impact — direct and indirect costs — that a breach would have on your business operations, as well as how your customers could be affected, he said.

Also, understand the precise limits of those policies and what steps have to be taken to maintain coverage—reputational damage from a high-profile breach, for instance, could prove to be outside the scope of a recoverable loss, Blair said.

“It’s about trust and reputation at the end of the day with your customers,” he said.

Coverage can range from $1 million to $15 million, though Smith said some policies are available with lower coverage limits. A policy with $1 million in coverage can run from $5,000 to $25,000 per year depending on the risk factors for a given business, Bouchard said. In addition to basic coverage for investigations, notifications and identity monitoring, businesses can also elect coverage for things such as extortion, business income loss or costs for network interruption.

“These are very customizable policies,” Bouchard said.

PSA, Corekin’s company, advises clients to ask themselves whether they can survive a temporary interruption or shutdown of operations or pay for the costs associated with, say, notifying exposed clients. There are at least 47 different sets of state laws that regulate internet breaches, she said, so make sure you are knowledgeable about your company’s potential responsibilities to secure its data. Some industries, such as health care, are highly regulated and have federal requirements that relate to electronic health care transactions.

Cyberinsurance policies, which have only been around for a decade, have many coverage options, but generally offer three buckets of coverage, Corekin said:

liability for security breaches when private information is released;

costs for items such as regulatory compliance fees, legal issues or the expenses associated with unlocking the system after a hack; and

business interruption expenses.

Note that most standard insurance policies, including business liability insurance, business interruption insurance or even computer fraud coverage, likely will no longer cover the fallout from a cyberattack, Corekin said.

Another point of potential confusion is the precise meaning of the terms associated with a breach of privacy. Buyers can quickly stray into the weeds when trying to pin down policy terms such as “glitch” or “wrongful act,” but knowledgeable agents are good guides, she said.

Finally, if your firm operates around the clock and a breach could affect operations at any time, you will need a provider who will pick up the phone on a Friday or Saturday evening, Corekin said. In some states, you may only have 72 hours to meet regulatory deadlines to respond to a breach. Under New York State law, Attorney General Eric Schneiderman said, affected consumers must be notified “in the most expedient time possible consistent with legitimate needs of law enforcement agencies.”

But the good news, according to Bouchard, is that insurers are competing for business in this growing field, making it a good time to shop.

“It’s very competitive, and a lot of people are chasing the same clients, which is great for the clients,” he said.

Anne Saunders contributed to this story. Nick Stern is a frequent contributor to The Daily Record in Baltimore. Daria Meoli is a freelance writer who reports on business.